Audit of the MassHire Department of Career Services Overview of Audited Entity

The MassHire Department of Career Services (MDCS) is located at 100 Cambridge Street in Boston and was established by Section 1 of Chapter 23H of the Massachusetts General Laws. On August 29, 2018, the Executive Office of Labor and Workforce Development commissioned MassHire as the rebranding for all Massachusetts Workforce Development Systems, renaming the Department of Career Services as the MassHire Department of Career Services. MDCS operates under the direction of its secretariat, the Executive Office of Labor and Workforce Development. Section 1 of Chapter 23H of the General Laws states that MDCS’s mission is to “develop, coordinate, and maintain a coherent workforce development system that fills the needs of employers for a skilled workforce and promotes lifelong learning among employees.” Website accessibility is also important to achieving MDCS’s mission.

In fiscal year 2022, MDCS aided more than 72,000 job seekers (including those seeking unemployment insurance) and supported more than 19,000 companies. In fiscal year 2022, MDCS was granted $33,500,000 in state appropriations and $107,040,983 in federal grants. In fiscal year 2023, MDCS was granted $43,475,000 in state appropriations and $59,141,058 in federal grants. MDCS employed 203 personnel members during the audit period.

According to MDCS management, in order to carry out its mission of maintaining a workforce development system, MDCS oversees 28 physical career centers that job seekers can visit to access its services, 4 of which are focused on assisting youth job seekers. These career centers offer job seekers services and events like career guidance, resume writing, workshops, and trainings. Across the 28 career centers, there are 18 websites in addition to the main MDCS website. All of these career centers use a centralized database operated by MDCS for the storage and sharing of information.

JobQuest is an online service offered by MDCS that serves as a job board that job seekers can use to search for potential employment in Massachusetts. Job seekers can create a profile on JobQuest, which allows them to save jobs to view in the future and match their skills to current job openings. JobQuest also has lists of workshops and trainings that users can sign up for. Workshops include events such as résumé workshops or recruitment fairs, while training courses typically help prepare job seekers for a job. 

In 1999, the World Wide Web Consortium (W3C), an international nongovernmental organization responsible for internet standards, published the Web Content Accessibility Guidelines (WCAG) 1.0 to provide guidance on how to make web content more accessible to those with disabilities.

In 2005, the Massachusetts Office of Information Technology,¹ with the participation of state government webpage developers, including developers with disabilities, created the Enterprise Web Accessibility Standards. These standards required all state executive branch agencies to follow the guidelines in Section 508 of the Rehabilitation Act amendments of 1998. These amendments went into effect in 2001 and established precise technical requirements to which electronic and information technology (IT) products must adhere. This technology includes, but is not limited to, products such as software, websites, multimedia products, and certain physical products, such as standalone terminals.

In 2008, W3C published WCAG 2.0. In 2014, the Massachusetts Office of Information Technology added a reference to WCAG 2.0 in its Enterprise Information Technology Accessibility Standards.

In 2017, the Executive Office of Technology Services and Security (EOTSS) was designated as the Commonwealth’s lead IT organization for the executive branch. EOTSS is responsible for the development and maintenance of the Enterprise Information Technology Accessibility Standards and the implementation of state and federal laws and regulations relating to accessibility. As the principal executive agency responsible for coordinating the Commonwealth’s IT accessibility compliance efforts, EOTSS supervises executive branch agencies in their efforts to meet the Commonwealth’s technology accessibility requirements.

In 2018, W3C published WCAG 2.1, which built on WCAG 2.0 to improve web accessibility on mobile devices and to further improve web accessibility for people with visual impairments and cognitive disabilities. EOTSS published the Enterprise Information Technology Accessibility Policy in 2021 to meet Levels A and AA of WCAG 2.1.

Timeline of the Adoption of Website Accessibility Standards by the Federal Government and Massachusetts

While EOTSS establishes standards for executive branch agencies, individual agencies such as MDCS are responsible for ensuring that their IT solutions and web content fully comply with EOTSS’s accessibility standards. When publishing digital content to Mass.gov or other platforms, state agencies must comply with EOTSS’s Web Design Guidelines, which were published in 2020 based on the federal 21st Century Integrated Digital Experience Act. EOTSS’s Web Design Guidelines help state agencies evaluate their design and implementation decisions in meeting state accessibility requirements.

Government websites are an important way for the general public to access government information and services. Deloitte’s² 2023 Digital Citizen Survey found that 55% of respondents preferred to interact with their state government services through a website instead of face-to-face interaction or a call center. Commonwealth of Massachusetts websites have millions of webpage views each month.

However, people do not interact with the internet uniformly. The federal government and nongovernmental organizations have established web accessibility standards intended to make websites more accessible to people with disabilities such as visual impairments, hearing impairments, and others. The impact of these standards can be significant, as the federal Centers for Disease Control and Prevention estimate that 1,348,913 adults (23% of the adult population) in Massachusetts have a disability, as of 2021.

According to W3C, people with disabilities use assistive technologies and adaptive strategies specific to their needs to navigate web content. Examples of assistive technologies include screen readers, which read webpages aloud for people who cannot read text; screen magnifiers for individuals with low vision; and voice recognition software for people who cannot (or do not) use a keyboard or mouse. Adaptive strategies refer to techniques that people with disabilities employ to enhance their web interaction.³ These strategies might involve increasing text size, adjusting mouse speed, or enabling captions.

To make web content accessible to people with disabilities, developers must ensure that various components of web development and interaction work together. This includes text, images, and structural code; users’ browsers and media players; and various assistive technologies.

Accessibility Features of a Website

IT governance refers to the processes that state agencies use to manage their IT resources. EOTSS documents these processes in standards that executive branch state agencies are required to follow. Specifically, Section 2 of Chapter 7D of the General Laws states,

Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.

IT governance processes include information classification, information disposal, information system classification, and the restriction of information access.

EOTSS’s Asset Management Standard IS.004⁴ requires that state agencies establish classification or sensitivity levels for all the information in their custody. These classification levels are meant to ensure that information is protected in line with its value. EOTSS’s Asset Management Standard IS.004 lists three levels of classification: public, internal use, and confidential.

The public classification involves information that is viewed by the public (e.g., press releases, information on public-facing websites, or advertising for services). The internal use classification involves information that does not reach the level of confidential but should not be viewed by the public (e.g., internal training materials or policies). The confidential classification is the highest level and involves information that should only be accessed by personnel members who need the information to perform their job duties (e.g., personnel performance documentation, personally identifiable information [PII], federal tax information, or passwords). Confidential information is sensitive by nature and could cause damage to the Commonwealth and its residents if it is compromised.

EOTSS Asset Management Standard IS.004 requires that all executive branch state agencies establish information disposal procedures for information in their custody. Section 6.4.2.4 of this standard states that each agency must “identify and securely delete stored information that exceeds defined retention periods on a quarterly basis.” Information disposal reduces the risk of data becoming compromised by limiting the amount of data that could potentially be stolen. Additionally, specific types of information (e.g., tax data) are subject to state retention schedules with which agency policymakers must comply. 

EOTSS Asset Management Standard IS.004 requires that all executive branch state agencies perform a business impact analysis⁵ or a risk assessment⁶ in order to classify their information systems. Classifying information systems promotes a consistent approach to risk management and disaster recovery. Information systems classifications are separated into the following four levels:

• low: public information;
• medium: internal use information;
• high: confidential information or business support systems (e.g., email); and
• critical: information with regulatory requirements (e.g., information involving the Health Insurance Portability and Accountability Act or federal taxes).

Information systems contain diverse arrays of data, all of which should be classified in order to better protect the data within. If an information system is not properly classified, the data within can become vulnerable.

EOTSS Asset Management Standard IS.004 requires that all executive branch state agencies restrict access to confidential information to a narrow subset of personnel members who have a business need to access said information. Specifically, this policy lists PII as confidential information that an agency may have in its custody. Limiting access to PII prevents it from being used in a way that could cause harm to the Commonwealth and its residents, business partners, and customers.